Abstract. Position verification in wireless sensor networks (WSNs) is quite tricky in presence of attackers (malicious sensor nodes), who try to break the verification protocol by reporting their incorrect positions (locations) during the verification stage. In the literature of WSNs, most of the existing methods of position verification have used trusted verifiers, which are in fact vulnerable to attacks by malicious nodes. They also depend on some distance estimation techniques, which are not accurate in noisy channels (mediums). In this article, we propose a secure position verification scheme for WSNs in noisy channels without relying on any trusted entities. Our verification scheme detects and filters out all malicious nodes from the network with a very high probability.

Key words: Central limit theorems, Distributed protocol, Quantiles, Location verification, Security, Wireless networks.

1 Introduction 

Secure position verification is important for wireless sensor networks (WSNs) because the position of a sensor node is a critical input for many WSN applications, including tracking [11], monitoring [22] and geometry-based routing [15]. Most of the existing position verification protocols rely on distance estimation techniques such as received signal strength (RSS) [1, 12], time of flight (ToF) [10] and time difference of arrival (TDoA) [19]. These techniques are relatively easy to implement, but they are somewhat expensive because they require special hardware to estimate end-to-end distances. These techniques, especially RSS techniques [1, 12], are perfect in terms of precision in ideal situations. The Friis transmission equation (1) [18] used in RSS techniques leads to this precision. In practice, however, due to the presence of noise in the network channel, signal attenuation does not necessarily follow this equation. Many effects influence both propagation time and signal strength, so the distance calculated using the Friis equation usually differs from the actual distance. This difference may also depend on the locations of the sender and the receiver. A good position verification protocol should account for this noise and the limited precision of distance estimation.

In this article, we use the RSS technique for position verification, where the receiving node estimates the distance of the sender on the basis of sending and receiving signal strengths. Here we use the term node for a wireless sensor device in WSNs, which has processing capability and is equipped with transceivers
communicating over a wireless channel. We consider that there are two types 
of nodes in the system, genuine nodes and malicious nodes. While the genuine 
nodes follow the implemented system functionality correctly, the malicious nodes 
are under the control of an adversary. To make the verification problem most 
difficult, we assume that the malicious nodes know all genuine nodes and their 
positions (coordinates). Once the coordinates of all genuine nodes are known, 
the main objective of a malicious node is to report a suitable faking position 
to all these genuine nodes such that it can deceive as many genuine nodes as 
possible. On the other hand, the objective of a genuine node is to detect the 
inconsistency in the information provided by a malicious node. In order to do 
this, they compare two different estimates of the distances, one calculated from 
the coordinates provided by a node and the other computed using the RSS 
technique. If these estimates are close, the genuine node accepts the sender as 
genuine, otherwise the sender node is considered as a malicious node. Malicious 
nodes, however, do not go for such calculations. They always report all genuine 
nodes as malicious and all malicious nodes as genuine to break the verification 
protocol. In this present work, we deal with such situations and discuss how to 
detect and filter out all such malicious nodes from a WSN in a noisy channel. 

Related Works: Most of the existing methods for secure position verification [4, 5, 16, 17] rely on a fixed set of trusted entities (or verifiers) and distance estimation techniques to filter out faking (malicious) nodes. We refer to this model as the trusted sensor (or TS) model. In this model, faking nodes may use some modes of attacks that cannot be adopted by genuine nodes, such as radio signal jamming or using directional antennas that permit them to implement attacks, e.g., wormhole attack [13, 21] and Sybil attack [7]. Lazos and Poovendran [16] proposed a secure range-independent localization scheme, which is resilient to wormhole and Sybil attacks with high probability. Lazos et al. [17] further refined this scheme with multi-lateration to reduce the number of required locators, while maintaining probabilistic guarantees. Shokri et al. [21] proposed a secure neighbor verification protocol, which is secure against the classic 2-end wormhole attack. These authors assumed that there is no compromise between external adversaries and the correct nodes or their cryptographic keys, but these adversaries control a number of relay nodes which results in a wormhole attack. The TS model was also considered by Capkun and Hubaux [4] and Capkun et al. [5]. In [4], the authors presented a protocol, which relies on the distance bounding technique proposed by Brands and Chaum [2]. The protocol presented in [5] relies on a set of hidden verifiers. There are two major weaknesses of the TS model: firstly, it is not possible to self-organize a network in a completely distributed way, and secondly, periodical checking is required to ensure that the trusted nodes remain trusted. The position verification problem becomes more challenging when no trusted sensor nodes are provided beforehand. Delaet et al. [6] considered this model as the no trusted sensor (or NTS) model. Hwang et al. [14] and Delaet et al. [6] have investigated the verification problem with the NTS model. In both of these articles, the authors considered the problem where the faking nodes operate synchronously with other nodes. The approach in [14] is randomized and consists of two phases: distance measurement and filtering. In the distance measurement phase, all nodes measure their distances from their neighbours, when faking nodes are allowed to corrupt the distance measure technique. In this phase, each node announces one distance at a time in a round robin fashion. Thus the message complexity is $O(n^2)$. In the filtering phase, each genuine node randomly picks up two so-called pivot nodes and carries out its analysis based on those pivots. However, these chosen pivot sensors could be malicious. So, the protocol may only give a probabilistic guarantee. The approach in [6] is deterministic and consists of two phases that can correctly filter out malicious nodes, which are allowed to corrupt the distance measure technique. In the case of RSS, the protocol tolerates at most $\lfloor n/2 \rfloor - 2$ faking sensors ($n$ being the total number of nodes in the WSN) provided no four sensors are located on the same circle and no four sensors are co-linear. In the case of ToF, it can handle up to $\lfloor n/2 \rfloor - 3$ faking sensors provided no six sensors are located on the same hyperbola and no six sensors are co-linear.

Our results: The main contribution of this article is SecureNeighborDiscovery, a secure position verification protocol in the NTS model in a noisy channel.
To the best of our knowledge, this is the first protocol in the NTS model in a 
noisy environment. The protocol guarantees that the genuine nodes reject all 
incorrect positions of malicious nodes with very high probability (almost equal 
to 1) when there are sufficiently many genuine nodes in the WSN. If the noise in 
the network channel is negligible, this required number of genuine nodes matches 
with the findings of [6], where the authors proposed a deterministic algorithm 
for detecting faking sensors. However, when the noise is not negligible, each node 
can only have a limited precision for distance estimation. In such cases, it is not 
possible to develop a deterministic algorithm. Our protocol based on probabilis- 
tic algorithm takes care of this problem and filters out all malicious nodes from 
the WSN with a very high probability. When the number of nodes in the WSN 
is reasonably large, this probability turns out to be very close to 1. So, for all 
practical purposes, this proposed probabilistic method behaves almost like a de- 
terministic algorithm. Our SecureNeighborDiscovery protocol can be used 
to prevent Sybil attack [7] by verifying whether each message contains the real 
position (id) of its sender or not. The genuine nodes never accept any message 
with a malicious sender location. 

2 Technical preliminaries 

We assume that each node knows its geographic position (coordinates) and that the nodes form a complete graph for communication among themselves, i.e., each node is able to communicate with all other nodes in the WSN. We further assume that the WSN is partially synchronous: all nodes operate in phases. In the first phase, each node is able to send exactly one message to all other nodes without collision. Unless mentioned otherwise, we will also assume that, for each transmission, all nodes use the same transmission power $S^s$. Malicious nodes are allowed to transmit incorrect coordinates (incorrect identifier) to all other nodes. We further assume that malicious nodes cooperate among themselves in an omniscient manner (i.e., without exchanging messages) in order to deceive the genuine nodes in the WSN. Each malicious node obeys synchrony and transmits at most one message at the beginning of the first phase and one message at the end of it.

Let $d_{ij}$ be the true distance of node $i$ from a genuine node $j$. Since node $j$ does not know the location of node $i$, it estimates $d_{ij}$ using two different techniques, one using the RSS technique and the other using the coordinates provided by node $i$. These two estimates are denoted by $\hat{d}_{ij}$ and $\tilde{d}_{ij}$, respectively. In the RSS technique, under idealized conditions, node $j$ can precisely measure the distance of node $i$ using the Friis transmission equation (1) [18] given by

where $S_i^s$ is the transmission power of the sender node $i$ (here $S_i^s = S^s$ for all $i$), $S^r_{ji}$ is the corresponding RSS at the receiving node $j$, and $\lambda$ is the wavelength.

If the sender node $i$ gives perfect information regarding its location (i.e., $\tilde{d}_{ij} = d_{ij}$), then the distance estimated using the RSS technique ($\hat{d}_{ij}$) and that computed from coordinates provided by node $i$ ($\tilde{d}_{ij}$) will be equal in the ideal situation. However, in practice, when we have noise in the channel, they cannot match exactly, but they are expected to be close. But if node $i$ sends incorrect information about its location, $|\hat{d}_{ij} - \tilde{d}_{ij}|$ can be large.

3 RSS technique in a noisy medium 

The above Friis transmission equation (1) is used in telecommunications engineering, and gives the power transmitted from one antenna to another under idealized conditions. One should note that in the presence of noise in the network, the transmission equation may not hold, and it needs to be modified. Modifications to this equation based on the effects of impedance mismatch, misalignment of the antenna pointing and polarization, and absorption can be incorporated using an additional noise factor $\varepsilon$, which is supposed to follow a Normal (Gaussian) distribution with mean 0 and variance $\sigma^2$. The modified equation is given by

where $\varepsilon_{ij} \sim N(0, \sigma^2)$ and $a =$ However, the $\varepsilon_{ij}$s are unobserved in practice. So, the receiving node $j$ estimates the distance $d_{ij}$ using the Friis transmission equation (1), and this estimate is given by $\hat{d}_{ij} = a\,(S_i^s / S^r_{ji})^{1/2}$. Since $\varepsilon_{ij} \sim N(0, \sigma^2)$, following the $3\sigma$ limit, $S^r_{ji}$ is expected to lie between $S_i^s (a/d_{ij})^2 - 3\sigma$ and $S_i^s (a/d_{ij})^2 + 3\sigma$, where $d_{ij}$ is the unknown true distance. Accordingly, $\hat{d}_{ij}$ is expected to lie in the range $[d_{ij}\{1 + (3\sigma d_{ij}^2 / a^2 S_i^s)\}^{-1/2},\ d_{ij}\{1 - (3\sigma d_{ij}^2 / a^2 S_i^s)\}^{-1/2}]$. So, if the sender sends its genuine coordinates (i.e., $\tilde{d}_{ij} = d_{ij}$), $\hat{d}_{ij}$ is expected to lie in the range $[\tilde{d}_{ij}\{1 + (3\sigma \tilde{d}_{ij}^2 / a^2 S_i^s)\}^{-1/2},\ \tilde{d}_{ij}\{1 - (3\sigma \tilde{d}_{ij}^2 / a^2 S_i^s)\}^{-1/2}]$ with probability almost equal to 1 ($\approx 0.9973$). The receiver node $j$ accepts node $i$ as genuine when $\hat{d}_{ij}$ lies in that range. Throughout this article, we will assume to be known. However, if it is unknown, one can estimate it by sending signals from known distances and measuring the deviations in received signal strengths from those expected in ideal situations. Looking at the distribution of these deviations, one can also check whether the error distribution is really normal (see [20] for the test of normality of error distributions). If it differs from normality, one can choose a suitable model for the error distribution and find the acceptance interval using the quantiles of that distribution. For the sake of simplicity, throughout this article, we will assume the error distribution to be normal, which is the most common and popular choice in the statistics literature.
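The acceptance test described above can be exercised numerically. The following is an added example, not code from the paper: the function names, the normalisation $a = 1$ and $S^s = 1$, and the noise level are assumptions chosen for illustration. It computes the $3\sigma$ acceptance interval, handles the case where the interval has no finite upper limit, and checks by seeded simulation that an honest sender is approved about 99.73% of the time.

```python
import math
import random


def rss_distance(s_tx, s_rx, a):
    """RSS estimate d_hat = a * sqrt(S_tx / S_rx) from the ideal Friis relation."""
    if s_rx <= 0.0:
        # Noise pushed the received strength to or below zero: no usable estimate.
        return math.inf
    return a * math.sqrt(s_tx / s_rx)


def acceptance_interval(d_claimed, sigma, s_tx, a):
    """3-sigma limits (alpha_1, alpha_2) around the coordinate-based distance."""
    k = 3.0 * sigma * d_claimed ** 2 / (a ** 2 * s_tx)
    alpha_1 = d_claimed / math.sqrt(1.0 + k)
    # When k >= 1 the lower 3-sigma bound on the received strength is not
    # positive, so the distance has no finite upper limit.
    alpha_2 = d_claimed / math.sqrt(1.0 - k) if k < 1.0 else math.inf
    return alpha_1, alpha_2


def approves(d_claimed, s_rx, sigma, s_tx, a):
    """True when the receiver approves the sender's reported position."""
    alpha_1, alpha_2 = acceptance_interval(d_claimed, sigma, s_tx, a)
    return alpha_1 < rss_distance(s_tx, s_rx, a) < alpha_2


def acceptance_rate(d_true, d_claimed, sigma, s_tx=1.0, a=1.0,
                    trials=20000, seed=7):
    """Fraction of noisy transmissions approved, by seeded Monte Carlo."""
    rng = random.Random(seed)
    ideal_rx = s_tx * (a / d_true) ** 2          # noise-free received strength
    approved = 0
    for _ in range(trials):
        s_rx = ideal_rx + rng.gauss(0.0, sigma)  # additive N(0, sigma^2) noise
        if approves(d_claimed, s_rx, sigma, s_tx, a):
            approved += 1
    return approved / trials


if __name__ == "__main__":
    sigma = 1e-4  # constructed noise level, in units where S_tx = 1 and a = 1
    print("interval for a claimed distance of 10:",
          acceptance_interval(10.0, sigma, 1.0, 1.0))
    print("honest sender at distance 10:", acceptance_rate(10.0, 10.0, sigma))
    print("sender at distance 10 claiming 12:",
          acceptance_rate(10.0, 12.0, sigma))
```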

We assume that there are $n$ sensor nodes deployed over a region $\mathcal{D}$ in a two dimensional plane, $n_0$ of them are genuine, and the rest $n_1$ ($n_0 + n_1 = n$) are malicious. Though our protocol does not need $n_0$ and $n_1$ to be specified, for the better understanding of the reader, we will use these two terms for the description and mathematical analysis of our protocol.



3.1 Optimal strategy for malicious sensor nodes 

Here, we deal with the situation where all malicious nodes know all genuine nodes and their positions, or in other words, they know which of the sensor nodes are genuine and which ones are malicious. Therefore, to break the verification protocol, each malicious node reports all genuine nodes as malicious and all malicious nodes as genuine. In addition to that, a malicious node tries to report a suitable faking position so that it can deceive as many genuine nodes as possible. Let $\mathbf{x}_j = (x_j, y_j)$, $j = 1, 2, \ldots, n_0$, be the coordinates of the genuine nodes and $\mathbf{x}_0 = (x_0, y_0)$ be the true location of a malicious node. Instead of reporting its original position, the malicious node looks for a suitable faking position $\mathbf{x}_f = (x_f, y_f)$ to deceive the genuine nodes. Note that if it sends $\mathbf{x}_f$ as its location, from the given coordinates, the $j$-th ($j = 1, 2, \ldots, n_0$) genuine node estimates its distance by $\tilde{d}_{0j} = \|\mathbf{x}_j - \mathbf{x}_f\|$, where $\|\cdot\|$ denotes the usual Euclidean distance. Again, the distance estimated from the received signal is $\hat{d}_{0j} = a\,(S_0^s / S^r_{j0})^{1/2}$. So, the $j$-th node accepts the malicious node as genuine if $\hat{d}_{0j}$ lies between $\alpha_{1,0j} = \tilde{d}_{0j}\{1 + (3\sigma \tilde{d}_{0j}^2 / a^2 S_0^s)\}^{-1/2}$ and $\alpha_{2,0j} = \tilde{d}_{0j}\{1 - (3\sigma \tilde{d}_{0j}^2 / a^2 S_0^s)\}^{-1/2}$.

Now from equation (2), it is easy to check that $\alpha_{1,0j} < \hat{d}_{0j} < \alpha_{2,0j} \Leftrightarrow \beta_{1,0j} = a^2 S_0^s [1/\alpha_{2,0j}^2 - 1/d_{0j}^2] < \varepsilon_{0j} < \beta_{2,0j} = a^2 S_0^s [1/\alpha_{1,0j}^2 - 1/d_{0j}^2]$. Let $p^f_{0j}$ be the probability that the malicious node, which is originally located at $\mathbf{x}_0$, is accepted by the $j$-th genuine node when it reports $\mathbf{x}_f$ as its location. Now, from the above discussion, it is quite clear that $p^f_{0j}$ ($j = 1, 2, \ldots, n_0$) is given by

Naturally, the malicious node tries to cheat as many genuine nodes as possible. Let us define an indicator variable $Z^f_{0j}$ that takes the value 1 (or 0) if the malicious node successfully cheats (or fails to cheat) the $j$-th genuine node when it sends the faked location $\mathbf{x}_f$. Clearly, here $E(Z^f_{0j}) = P(Z^f_{0j} = 1) = p^f_{0j}$. So, given the coordinates of the genuine nodes $\mathcal{X}_0 = \{\mathbf{x}_1, \mathbf{x}_2, \ldots, \mathbf{x}_{n_0}\}$, $\theta^{f,\mathcal{X}_0}_{0,n_0} = E(\sum_{j=1}^{n_0} Z^f_{0j}) = \sum_{j=1}^{n_0} p^f_{0j}$ denotes the expected number of genuine nodes to be deceived by the malicious node if it pretends $\mathbf{x}_f$ as its location. Naturally, the malicious node tries to find a faked position $\mathbf{x}_f$ that maximizes $\theta^{f,\mathcal{X}_0}_{0,n_0}$. Let us define $\theta^{\mathcal{X}_0}_{0,n_0} = \sup_{\mathbf{x}_f \in \mathcal{F}_0} \theta^{f,\mathcal{X}_0}_{0,n_0}$, where $\mathcal{F}_0$ is the set of all possible faking coordinates. A malicious node located at $\mathbf{x}_0$ always looks for $\mathbf{x}_f \in \mathcal{F}_0$ such that $\theta^{f,\mathcal{X}_0}_{0,n_0} = \theta^{\mathcal{X}_0}_{0,n_0}$.

Here one should note that the region $\mathcal{F}_0$ depends on the true location of the malicious node $\mathbf{x}_0$, and it is not supposed to contain any point lying in a small neighborhood of $\mathbf{x}_0$, because in that case, $\mathbf{x}_0$ and $\mathbf{x}_f$ will be almost the same, and the malicious node will behave almost like a genuine node. Naturally, the malicious node would not like to do that, and it will keep the neighborhood outside $\mathcal{F}_0$. The size of this neighborhood of course depends on the specific application, and the value of $\theta^{\mathcal{X}_0}_{0,n_0}$ depends on that.

3.2 Optimal strategy for genuine sensor nodes 

Let $A_0$ be the total number of nodes in the WSN that accept the malicious node located at $\mathbf{x}_0$ (as discussed in Section 3.1) as genuine. Since a malicious node is always accepted by other malicious nodes, if there are $n_0$ genuine nodes in the WSN and $\mathcal{X}_0$ denotes their coordinates, for the optimum choice of the faking coordinates $\mathbf{x}_f$, the (conditional) expected value of $A_0$ is given by $E(A_0 \mid n_0, \mathcal{X}_0) = (n - n_0) + \theta^{\mathcal{X}_0}_{0,n_0}$. Now, a genuine node does not know a priori how many genuine nodes there are in the WSN, and where they are located. So, at first, for a given $n_0$, it computes the average of $E(A_0 \mid n_0, \mathcal{X}_0)$ over all possible $\mathcal{X}_0$. If $\mathcal{D}$ denotes the deployment region (preferably a convex region) for the sensor nodes, and if the nodes are assumed to be uniformly distributed over $\mathcal{D}$, this average is given by $E(A_0 \mid n_0) = \int_{\mathcal{X}_0 \in \mathcal{D}^{n_0}} E(A_0 \mid n_0, \mathcal{X}_0)\,\psi(\mathcal{X}_0)\,d\mathcal{X}_0$, where $\psi$ is the uniform density function on $\mathcal{D}^{n_0}$. Here we have chosen $\psi$ to be uniform because it is the simplest one to deal with, and it is also the most common choice in the absence of any prior knowledge on the distribution of nodes in $\mathcal{D}$. When we have some prior knowledge about this distribution, $\psi$ can be chosen accordingly. Now, define $\theta_{0,n_0} = \int_{\mathcal{X}_0 \in \mathcal{D}^{n_0}} \theta^{\mathcal{X}_0}_{0,n_0}\,\psi(\mathcal{X}_0)\,d\mathcal{X}_0$. Clearly, $E(A_0 \mid n_0) = (n - n_0) + \theta_{0,n_0}$ depends on $n_0$, which is unknown to the genuine node. So, it finds an upper bound for $E(A_0 \mid n_0)$ assuming that at least half of the sensor nodes in the WSN are genuine. Under this assumption, this upper bound is given by $\lfloor 0.5n \rfloor + \theta_{0,\lceil 0.5n \rceil}$.

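Theorem 1. If there are $n$ nodes in a WSN, and at least half of them are genuine, the expected number of acceptances for a malicious node located at $\mathbf{x}_0 = (x_0, y_0)$ cannot exceed $\lfloor 0.5n \rfloor + \theta_{0,\lceil 0.5n \rceil}$.

Proof. Suppose there are $n_0$ genuine nodes (and $n_1 = n - n_0$ malicious nodes) in the WSN, where $n_0 \ge \lceil n/2 \rceil$. Define $\mathcal{X}_0 = \{\mathbf{x}_1, \mathbf{x}_2, \ldots, \mathbf{x}_{n_0}\}$ and $\mathcal{X} = \{\mathbf{x}_1, \mathbf{x}_2, \ldots, \mathbf{x}_{\lceil n/2 \rceil}\} \subset \mathcal{X}_0$. Now, for given $\mathcal{X}_0$, the expected number of acceptances for the malicious node located at $\mathbf{x}_0$ is $E(A_0 \mid n_0, \mathcal{X}_0) = \sup_{f \in \mathcal{F}_0} (\sum_{j=1}^{n_0} p^f_{0j}) + (n - n_0) \le \sup_{f \in \mathcal{F}_0} (\sum_{j=1}^{\lceil n/2 \rceil} p^f_{0j}) + \sup_{f \in \mathcal{F}_0} (\sum_{j=\lceil n/2 \rceil + 1}^{n_0} p^f_{0j}) + (n - n_0) \le E(A_0 \mid \lceil n/2 \rceil, \mathcal{X}) + (n_0 - \lceil n/2 \rceil) + (n - n_0) = \theta^{\mathcal{X}}_{0,\lceil n/2 \rceil} + (n - \lceil n/2 \rceil)$. Now, taking expectation w.r.t. $\mathcal{X}_0$, we get $E(A_0 \mid n_0) \le \theta_{0,\lceil 0.5n \rceil} + \lfloor n/2 \rfloor$. □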

Note that $\theta_{0,\lceil 0.5n \rceil}$ and the upper bound depend on the location of the malicious node $\mathbf{x}_0$. So, for a genuine node, it is an unknown random quantity. Therefore, a genuine node takes a conservative approach and computes $\theta^*_{\lceil n/2 \rceil} = \lceil \sup_{\mathbf{x}_0 \in \mathcal{D}} \theta_{0,\lceil n/2 \rceil} \rceil$. Note that here, $\theta^*_{\lceil n/2 \rceil}$ gives an upper bound of the expected number of genuine nodes to be deceived by a malicious node in $\mathcal{D}$ when there are $\lceil n/2 \rceil$ genuine sensor nodes in the WSN. To filter out all malicious nodes from the WSN, a genuine node follows the idea of [6]. For any node, it calculates the total number of acceptances (approvals) ($A$) and rejections (accusations) ($R$), and considers the node as malicious if $R$ exceeds $A - \theta^*_{\lceil n/2 \rceil}$. Since $A + R = n$, a node is considered to be genuine if $A \ge (n + \theta^*_{\lceil n/2 \rceil})/2$. Note that if there are $n_0$ genuine nodes and $n_1$ malicious nodes in the WSN, a malicious node, on an average, can be accepted by at most $\theta^*_{n_0} + n_1$ nodes, and it will be rejected by at least $n_0 - \theta^*_{n_0}$ nodes. So, for a malicious node, $A - R - \theta^*_{\lceil n/2 \rceil}$ is expected to be smaller than $(n_1 + 2\theta^*_{n_0}) - n_0 - \theta^*_{\lceil n/2 \rceil} \le \lfloor n/2 \rfloor + \theta^*_{n_0} - n_0$ (from Theorem 1). Therefore, if we have $n_0 \ge \lfloor n/2 \rfloor + \theta^*_{n_0}$, all malicious nodes are expected to be filtered out from the WSN. A more detailed mathematical analysis of our protocol will be given in Section 5. For computing $\theta^*_{\lceil n/2 \rceil}$, a genuine node uses the statistical simulation technique [3] assuming that the sensors are distributed over $\mathcal{D}$ with density $\psi$ (which is taken to be uniform in this article). First it generates coordinates $\mathbf{x}_0$ for the malicious node and $\mathcal{X}$ for $\lceil n/2 \rceil$ genuine nodes in $\mathcal{D}$ to compute $\theta^{\mathcal{X}}_{0,\lceil n/2 \rceil}$, maximizing $\theta^{f,\mathcal{X}}_{0,\lceil n/2 \rceil}$. Repeating this over several $\mathcal{X}$, one gets $\theta_{0,\lceil n/2 \rceil}$ as an average of the $\theta^{\mathcal{X}}_{0,\lceil n/2 \rceil}$s. This whole procedure is repeated for several random choices of $\mathbf{x}_0$ to compute $\theta^*_{\lceil n/2 \rceil} = \lceil \sup_{\mathbf{x}_0 \in \mathcal{D}} \theta_{0,\lceil n/2 \rceil} \rceil$. Note that this is an offline calculation, and it has to be done once only.

4 The Protocol 

Based on the above discussions, we develop the SecureNeighborDiscovery protocol. It is a two-phase approach to filter out malicious nodes. The first phase is named AccuseApprove, and the second phase is named Filtering.

In the first phase, each sensor node reports its coordinates to all other nodes by transmitting an initial message. Next, for each pair of nodes $i$ and $j$, node $j$ computes two estimates of the distance $d_{ij}$, one using the RSS technique ($\hat{d}_{ij}$) and the other from the reported coordinates ($\tilde{d}_{ij}$), as mentioned earlier. If $\hat{d}_{ij} \notin (\alpha_{1,ij}, \alpha_{2,ij})$ then node $j$ accuses node $i$ for its faking position. Otherwise, node $j$ approves the location of node $i$ as genuine. Here $\alpha_{1,ij} = \tilde{d}_{ij}\{1 + (3\sigma \tilde{d}_{ij}^2 / a^2 S_i^s)\}^{-1/2}$ and $\alpha_{2,ij} = \tilde{d}_{ij}\{1 - (3\sigma \tilde{d}_{ij}^2 / a^2 S_i^s)\}^{-1/2}$ are analogs of $\alpha_{1,0j}$ and $\alpha_{2,0j}$ defined in Section 3.1. To keep track of these accusations and approvals, each node $j$ maintains an array $accus_j$, and transmits it to all other nodes at the end of this phase. So, in the first phase, each node $j$ executes the AccuseApprove protocol which is given below.



Protocol: AccuseApprove (executed by node $j$)

1. $j$ exchanges coordinates by transmitting $init_j$ & receiving $n - 1$ $init_i$.
2. for each received message $init_i$:
3.     compute $\hat{d}_{ij}$ using the ranging (RSS) technique and
       $\tilde{d}_{ij}$ using the reported coordinates of $i$.
4.     if ($\hat{d}_{ij} \notin (\alpha_{1,ij}, \alpha_{2,ij})$) then $accus_j[i] \leftarrow$ true
       else $accus_j[i] \leftarrow$ false
5. $j$ exchanges accusations by transmitting $accus_j$ & receiving $n - 1$ $accus_i$.

Protocol: Filtering (executed by node $j$)

1. $F = \emptyset$, $G = \{1, 2, \ldots, n\}$, $n' \leftarrow n$
2. repeat { $k \leftarrow n'$
3.     for each received $accus_i$ : ($i \in G$)
4.         for each $r$ : ($r \in G$)
5.             if $accus_i[r]$ = true then $NumAccus_r$ += 1
               else $NumApprove_r$ += 1
6.     $newF = \emptyset$.
7.     for each sensor $i$ : ($i \in G$)
8.         if ($NumApprove_i \ge (k + \theta^*_{\lceil n/2 \rceil})/2$) then
               $j$ considers $i$ as a genuine node,
           else $j$ considers $i$ as a malicious node,
               filter out $i$, $newF = newF \cup \{i\}$, $n' \leftarrow n' - 1$.
9.     $F = F \cup newF$, $G = G \setminus newF$.
10.    for each sensor $i$ : ($i \in newF$)
11.        discard $accus_i$ & corresponding $i$-th entry of $accus_r$ for all $r \in G$
12. } until ($k = n'$)



In the second phase, each node $j$ executes the Filtering protocol, where it counts the number of accusations and approvals toward node $i$ including its own message. Node $j$ finds node $i$ as malicious if the number of accusations exceeds the number of approvals minus $\theta^*_{\lceil n/2 \rceil}$. Conversely, node $i$ is considered as genuine if its number of approvals is greater than or equal to $(n + \theta^*_{\lceil n/2 \rceil})/2$. In this process, nodes that are detected as malicious nodes are filtered out from the WSN. Next, it ignores the decisions given by these deleted nodes and repeats the same filtering method with the remaining ones. If there are $n'$ nodes in the WSN, a node is considered to be malicious if the number of approvals is smaller than $(n' + \theta^*_{\lceil n/2 \rceil})/2$. Instead of $\theta^*_{\lceil n/2 \rceil}$, one could use $\theta^*_{\lceil n'/2 \rceil}$, but in that case, $\theta^*_{\lceil n'/2 \rceil}$ needs to be computed again, and it needs to be computed online. Therefore, to reduce the computing cost of our algorithm, here we stick to $\theta^*_{\lceil n/2 \rceil}$. Note that the use of $\theta^*_{\lceil n/2 \rceil}$ also makes the filtering protocol more strict in the sense that it increases the probability of a node being filtered out. Node $j$ repeats this method until there are no further deletions of nodes from the WSN.

The Filtering protocol is given above. Here F and G denote the set of 
malicious and genuine nodes respectively. Initially, we set $F = \emptyset$ and $G = \{1, 2, \ldots, n\}$. At each stage, we detect some malicious nodes and filter them out.
Those nodes are deleted from G and included in F. At the end of the algorithm, 
G gives the set of nodes remaining in WSN, which are considered to be genuine 
nodes. It would be ideal if the set of coordinates of the nodes in G matches with 
X. However, it might not always be possible. The main objective of our protocol 
is to filter out all malicious nodes from the WSN. In the process, a few genuine 
nodes may also get removed. So, if not all, at the end of the algorithm, one would 
like G to contain most of the genuine nodes and no malicious nodes. 
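The Filtering phase can be traced on a constructed worst case. This is an added example, not the authors' code: the function names are hypothetical, approvals are recounted in every round from the arrays of the nodes still in $G$, and the accusation arrays are built directly rather than from simulated RSS readings. The first call in `main` uses the sizes reported in Section 6.1 (52 genuine nodes, 48 malicious nodes, threshold parameter 2); the other two scenarios are constructed to show repeated filtering and a network below the sufficient condition.

```python
def worst_case_accusations(n0, deceived):
    """Constructed accusation arrays for the worst case analysed on this page.

    Nodes 0..n0-1 are genuine and the rest are malicious; deceived[m] is the
    number of genuine nodes fooled by the m-th malicious node.  accus[i][r]
    is True when node i accuses node r.  Genuine nodes approve each other
    (noise ignored); malicious nodes accuse every genuine node and approve
    every malicious node.
    """
    n = n0 + len(deceived)
    accus = [[False] * n for _ in range(n)]
    for i in range(n):
        for r in range(n):
            if i >= n0:
                accus[i][r] = r < n0
            elif r >= n0:
                # Exactly deceived[r - n0] genuine nodes approve attacker r.
                accus[i][r] = (i - r) % n0 >= deceived[r - n0]
    return accus


def filtering(accus, theta_star):
    """Run the Filtering phase; return (G, F, rounds that removed nodes)."""
    genuine, malicious = set(range(len(accus))), set()
    rounds = 0
    while True:
        k = len(genuine)
        # Count approvals using only the arrays of nodes still in G, which
        # is the effect of discarding the arrays and entries of removed nodes.
        approvals = {r: sum(not accus[i][r] for i in genuine)
                     for r in genuine}
        new_f = {r for r in genuine
                 if approvals[r] < (k + theta_star) / 2}
        if not new_f:
            return genuine, malicious, rounds
        rounds += 1
        malicious |= new_f
        genuine -= new_f


def main():
    # Section 6.1 sizes: every attacker fools exactly two genuine nodes.
    g, f, rounds = filtering(worst_case_accusations(52, [2] * 48), 2)
    print(len(g), "kept,", len(f), "filtered in", rounds, "round(s)")
    # Constructed: half of the attackers fool four nodes and survive round 1.
    g, f, rounds = filtering(
        worst_case_accusations(52, [4] * 24 + [0] * 24), 2)
    print(len(g), "kept,", len(f), "filtered in", rounds, "round(s)")
    # Constructed: 51 genuine nodes, one fewer than the sufficient condition.
    g, f, rounds = filtering(worst_case_accusations(51, [2] * 49), 2)
    print(len(g), "kept,", len(f), "filtered in", rounds, "round(s)")


if __name__ == "__main__":
    main()
```

In the third scenario each malicious node collects 49 + 2 = 51 approvals, which meets the threshold of 51, so nothing is filtered.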



5 Correctness of the protocol 

To check the correctness of the above protocol, we consider the worst case scenario as mentioned before, where all genuine nodes get accused by all malicious nodes, and each malicious node gets approved by all other malicious nodes. Assume that there are $n_0$ genuine nodes and $n_1$ malicious nodes in the WSN. Now, for $j, j' = 1, 2, \ldots, n_0$, define the indicator variable $Z^*_{jj'} = 1$ if the $j'$-th genuine node accepts the $j$-th genuine node, and 0 otherwise. So, for the $j$-th genuine node, the number of approvals $A^*_j$ can be expressed as $A^*_j = \sum_{j'=1}^{n_0} Z^*_{jj'}$, where the $Z^*_{jj'}$s are independent and identically distributed (i.i.d.) as Bernoulli random variables with the success probability $p = P(Z^*_{jj'} = 1) = 0.9973 \approx 1$. If $n_0$ is reasonably large, using the Central Limit Theorem (CLT) [8] for the i.i.d. case, one can show that (see Theorem 2) $P(A^*_j \ge (n + \theta^*_{\lceil n/2 \rceil})/2) \approx 1 - \Phi(\tau)$, where $\Phi$ = cumulative distribution function of the standard normal distribution and $\tau = \frac{n + \theta^*_{\lceil n/2 \rceil} - 2 n_0 p}{2\sqrt{p(1-p)(n_0 - 1)}}$. Since this probability does not depend on $j$, the same expression holds for all genuine nodes.

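Theorem 2. Assume that there are $n$ nodes in the WSN, and $n_0$ of them are genuine. If $n_0$ is sufficiently large, for the $j$-th genuine node ($j = 1, 2, \ldots, n_0$), we have the acceptance probability $P\left(A^*_j \ge \frac{n + \theta^*_{\lceil n/2 \rceil}}{2}\right) \approx 1 - \Phi\left(\frac{n + \theta^*_{\lceil n/2 \rceil} - 2 n_0 p}{2\sqrt{p(1-p)(n_0 - 1)}}\right)$.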



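Proof. Since all malicious nodes are assumed to be intelligent, none of them will accept the genuine node. One should also notice that the $j$-th genuine node will always accept itself. So, for this node, it is easy to see that $A^*_j - 1 = \sum_{j' \ne j} Z^*_{jj'}$ is the sum of $(n_0 - 1)$ independent Bernoulli random variables, each of which takes the values 1 and 0 with probability $p = 0.9973$ and $1 - p = 0.0027$, respectively. From the Central Limit Theorem (C.L.T.) for i.i.d. random variables [8], we have $\sqrt{n_0 - 1}\left(\frac{A^*_j - 1}{n_0 - 1} - p\right) \sim N(0, p(1-p))$. Therefore, the acceptance probability of the $j$-th node is $P\left(A^*_j \ge \frac{n + \theta^*_{\lceil n/2 \rceil}}{2}\right) = P\left(\frac{A^*_j - 1}{n_0 - 1} \ge \frac{n + \theta^*_{\lceil n/2 \rceil} - 2}{2(n_0 - 1)}\right) \approx 1 - \Phi\left(\frac{n + \theta^*_{\lceil n/2 \rceil} - 2 - 2(n_0 - 1)p}{2\sqrt{(n_0 - 1)p(1-p)}}\right) \approx 1 - \Phi\left(\frac{n + \theta^*_{\lceil n/2 \rceil} - 2 n_0 p}{2\sqrt{p(1-p)(n_0 - 1)}}\right)$.

If $n + \theta^*_{\lceil n/2 \rceil} - 2 n_0 p < 0$ (equivalent to $n_0 > (n + \theta^*_{\lceil n/2 \rceil})/2$ since $p \approx 1$), for any genuine node $j$ ($j = 1, 2, \ldots, n_0$), the acceptance probability $P(A^*_j \ge (n + \theta^*_{\lceil n/2 \rceil})/2)$ is bigger than 1/2. Again, if $p$ is close to 1 (which is the case here), the denominator of $\tau$ becomes close to zero. So, in that case, the acceptance probability $P(A^*_j \ge (n + \theta^*_{\lceil n/2 \rceil})/2)$ turns out to be very close to 1. Note that if we have $n_0 \ge \lfloor n/2 \rfloor + \theta^*_{n_0}$, the condition $n_0 > (n + \theta^*_{\lceil n/2 \rceil})/2$ is satisfied.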

Now, given the coordinates of $n_0$ genuine sensor nodes $\mathcal{X}_0$, the malicious node, which is actually located at $\mathbf{x}_0$ but sends $\mathbf{x}_f$ as its faked location, has the number of acceptances $A_0 = n_1 + \sum_{j=1}^{n_0} Z^f_{0j}$, where $n_1$ is the number of malicious nodes in the WSN, and $Z^f_{0j} \sim B(1, p^f_{0j})$ for $j = 1, 2, \ldots, n_0$ (see Section 3.1). Again from the discussion in Section 3.2, it follows that $E(A_0) \le n_1 + \theta^*_{n_0}$. So, if $n_0 \ge \lfloor n/2 \rfloor + \theta^*_{n_0}$, using Theorem 1, it is easy to check that $(n + \theta^*_{\lceil n/2 \rceil})/2 - E(A_0) > 0.5(n_0 - \lfloor n/2 \rfloor - \theta^*_{n_0}) \ge 0$, and it is expected to increase with $n$ linearly. So, if the standard deviation of $A_0$ (square root of the variance $Var(A_0)$) remains bounded as a function of $n$, or it diverges at a slower rate (which is usually the case), for a sufficiently large number of nodes in the WSN, the final acceptance probability of the malicious node $P(A_0 \ge (n + \theta^*_{\lceil n/2 \rceil})/2)$ becomes very close to zero.

Theorem 3. If we have a sufficiently large number of nodes in the wireless sensor network and $n_0 \ge \lfloor n/2 \rfloor + \theta^*_{n_0}$, for any malicious node, the final acceptance probability $P(A_0 \ge (n + \theta^*_{\lceil n/2 \rceil})/2) \approx 0$.

Proof. Define $Y$ as the number of genuine nodes in the WSN that accept the malicious node as genuine. First note that $A_0 = n_1 + Y$, and $Y$ can be expressed as $Y = \sum_{i=1}^{n_0} Y_i$, where the $Y_i$s are independent, and $Y_i \sim Ber(p_i)$, for the $p_i$s being the probabilities of acceptance by genuine nodes in the WSN for the best choice of the faking position. Clearly, $E(Y) \le \theta^*_{n_0}$, $\sigma^2_{n_0} = Var(Y) = \sum_{i=1}^{n_0} p_i(1 - p_i)$ and $\rho^3_{n_0} = \sum_{i=1}^{n_0} E|Y_i - E(Y_i)|^3 \le \sigma^2_{n_0}$. Now, under the condition $n_0 \ge \lfloor n/2 \rfloor + \theta^*_{n_0}$, it is easy to check that $E(A_0) < (n + \theta^*_{\lceil n/2 \rceil})/2$, and $(n + \theta^*_{\lceil n/2 \rceil})/2 - E(A_0)$ increases with $n$ linearly. So, if $\sigma^2_{n_0} = Var(Y) = Var(A_0)$ remains bounded as a function of $n$, using Chebyshev's inequality or otherwise, one can show that $\lim_{n \to \infty} P(A_0 \ge (n + \theta^*_{\lceil n/2 \rceil})/2) = 0$. But the most likely case is $\sigma^2_{n_0} \to \infty$ as $n \to \infty$. In this case, one can verify that $\rho_{n_0}/\sigma_{n_0} \to 0$ as $n \to \infty$ (or equivalently $n_0 \to \infty$). Therefore, from Liapunov's Central Limit Theorem [8], we have $[A_0 - E(A_0)]/\sqrt{Var(A_0)} \sim N(0, 1)$ and $P(A_0 \ge (n + \theta^*_{\lceil n/2 \rceil})/2) \approx 1 - \Phi\left(\frac{(n + \theta^*_{\lceil n/2 \rceil})/2 - E(A_0)}{\sqrt{Var(A_0)}}\right)$. Now, $(n + \theta^*_{\lceil n/2 \rceil})/2 - E(A_0)$ grows with $n$ linearly, but $\sqrt{Var(A_0)} \le \sqrt{n_0}/2$ grows at a slower rate. So, $P(A_0 \ge (n + \theta^*_{\lceil n/2 \rceil})/2) \to 0$ as $n \to \infty$, and for large $n$, $P(A_0 \ge (n + \theta^*_{\lceil n/2 \rceil})/2) \approx 0$. Since the result does not depend on the location of the malicious node $\mathbf{x}_0$, it holds for all malicious nodes present in the WSN. □



Theorems 2 and 3 suggest that if $n$ is sufficiently large and $n_0 \ge \lfloor n/2 \rfloor + \theta^*_{n_0}$, all genuine nodes in the WSN have acceptance probabilities close to 1, and all malicious nodes have acceptance probabilities close to 0. So, it is expected that after the first round of filtering, if not all, a large number of genuine nodes will be accepted. On the contrary, if not all, almost all malicious nodes will get filtered out from the network. However, for proper functioning of the WSN, one needs to remove all malicious nodes. In order to do that, we repeat the Filtering procedure again with the remaining nodes. Now, among these remaining nodes, all but a few are expected to be genuine, and because of this higher proportion of genuine nodes, the acceptance probabilities of the genuine nodes are expected to increase, and those for the malicious nodes are expected to decrease further. So, if this procedure is used repeatedly, after some stage, the WSN is expected to contain genuine nodes only, and no nodes will be filtered out after that. When this is the case, our Filtering algorithm stops. Note that this algorithm does not need the values of $n_0$ and $n_1$ to be specified. We need to know $n$ only for computation of $\theta^*_{\lceil n/2 \rceil}$. This is the major computation involved in our method, but one can understand that this is an off-line calculation. If we know a priori the values of $\theta^*_{\lceil n/2 \rceil}$ for different $n$, one can use those tabulated values to avoid this computation. Note that the condition $n_0 \ge \lfloor n/2 \rfloor + \theta^*_{n_0}$ is only a sufficient condition under which the proposed protocol functions properly. Later, we will see that in the presence of negligible noise (or in the absence of noise) in the WSN, this condition matches with that of [6], and in that case, it turns out to be a necessary and sufficient condition. However, in other cases, it remains a sufficient condition only, and our protocol may work properly even when it is not satisfied. Our simulation studies in the next section will make this more clear.



6 Simulation results 



We carried out simulation studies to evaluate the performance of our proposed
algorithm. In the first part of the simulation, we calculated the value of
$\theta^*_{\lceil n/2 \rceil}$ using the statistical simulation technique [3],
and using that $\theta^*_{\lceil n/2 \rceil}$, in the second part, we filtered
out all suspected malicious nodes from the WSN. While maximizing
$\theta_{\lceil n/2 \rceil}$ w.r.t. $x_f$, in order to ensure that $x_f$ and
$x_0$ are not close, an open ball around $x_0$ is kept outside the search
region J^o. Unless mentioned otherwise, we carried out our experiments with 100
sensor nodes, but for varying choices of $n_0$ and $n_1$ and also for different
levels of noise (i.e., different values of $\sigma^2$). For choosing the value
of $\sigma^2$, first we considered two imaginary nodes (the sender and the
receiver nodes) located at two extreme corners of V and calculated the received
signal strength $S_{extreme}$ for that set up under ideal conditions (see Friis
equation 1). The error standard deviation $\sigma$ was taken as smaller than or
equal to $SS = S_{extreme}/3$ to ensure that all received signal strengths
remain positive (after error contamination) with probability almost equal to 1.



6.1 WSN with insignificant noise (<t = IQ-^SS) 

In this case, we observe that the value of $\theta_{\lceil n/2 \rceil}$ remains
almost constant and equal to $2p = 1.9946 \approx 2$ for varying choices of
$x_0$ and $X$. So, we have $\theta^*_{\lceil n/2 \rceil} \approx 2$. In fact,
in this case, $\theta_k$ turns out to be 2 for all $k > 2$. So, if we choose
$n_0 = 52$ and $n_1 = 48$, the condition
$n_0 > \lfloor n/2 \rfloor + \theta^*_{n_0}$ gets satisfied, and one should
expect the protocol to work well. When we carried out the experiment, each of
the 48 malicious nodes could deceive exactly two genuine nodes, and as a
result, the number of approvals turned out to be 50. So, all of them failed to
reach the threshold $(n + \theta^*_{\lceil n/2 \rceil})/2 \approx 51$, and they
were filtered out from the WSN at the very first round. On the contrary, all 52
genuine nodes had a number of approvals bigger than (47 out of 52 nodes) or
equal to (5 out of 52 nodes) 51, and none of them were filtered out. So, at the
beginning of the second round of filtering, we had 52 nodes in the WSN, and all
of them were genuine. Since the number of approvals for each genuine node
remained the same as it was in the first round, it was well above the updated
threshold (52+2)/2=27. So, no other nodes were filtered out, and our algorithm
stopped with all genuine nodes and no malicious nodes in the network. Needless
to mention that the proposed protocol led to the same result for all higher
values of $n_0$. But it did not work properly when we took $n_0 = 51$ and
$n_1 = 49$. In that case, all malicious nodes had 51 approvals, and those for
the genuine nodes were smaller than or equal to 51. So, no malicious nodes but
some genuine nodes were deleted at the first round of filtering. As a result,
the number of approvals for the genuine nodes became smaller at the second
round, and that led to the removal of those nodes from the WSN. Note that in
this case, the condition $n_0 > \lfloor n/2 \rfloor + \theta^*_{n_0}$ does not
get satisfied. So, here the condition is not only sufficient, but it turns out
to be necessary as well.

We carried out our experiment also with 101 nodes. When there were 51
genuine and 50 malicious nodes in the WSN, the protocol did not work properly.
But in the case of $n_0 = 52$ and $n_1 = 49$, it could filter out all malicious
nodes. In that case, each malicious node had 51 approvals, smaller than the
threshold $(n + \theta^*_{\lceil n/2 \rceil})/2 \approx 51.5$. But, 48 out of
52 genuine nodes were accepted by all 52 genuine nodes. So, at the end of the
first round of filtering, in the WSN, we had 48 genuine nodes only. Naturally,
no other nodes were removed at the second round. Again this shows that
$n_0 > \lfloor n/2 \rfloor + \theta^*_{n_0}$ is a necessary and sufficient
condition for the protocol to work when the noise is negligible. This is
consistent with the findings of [6], where the authors allowed no noise in the
network.

6.2 WSN with significant noise ($\sigma = SS$)

Unlike the previous case, here $\theta_{\lceil n/2 \rceil}$ does not remain
constant for different choices of $x_0$ and $X$. Considering $n = 100$, we
computed $\theta_{\lceil n/2 \rceil}$ in our simulations, and they ranged
between 5.9831 and 23.6964 leading to $\theta^*_{\lceil n/2 \rceil} =$
$(n + \theta^*_{\lceil n/2 \rceil})/2 \approx$ Clearly, if we start with less
than 62 genuine nodes, the protocol fails as all genuine nodes get deleted at
the first round of filtering. So, we started with 62 genuine and 38 malicious
nodes. One can notice that here $n_0 < \lfloor n/2 \rfloor + \theta^*_{n_0}$,
and the condition $n_0 > \lfloor n/2 \rfloor + \theta^*_{n_0}$ does not get
satisfied. But our protocol worked nicely and filtered out all malicious nodes
from the WSN. This shows that the above condition is only sufficient in this
case. At the first round of filtering, 54 out of the 62 genuine nodes, and 5
out of 38 malicious nodes could reach the threshold. So, at the beginning of
the second round, we had only 59 nodes in the network leading to a threshold of
(59+24)/2=41.5. Naturally, none of the malicious nodes and all the genuine
nodes could cross this threshold, and at the end of the second round of
filtering, we had only 54 nodes in the WSN, all of which were genuine. As
expected, no nodes were filtered out at the third round, and our algorithm
terminated with 54 genuine nodes.

6.3 A modified filtering algorithm based on quantiles 

Note that in the previous problem, if we start with 60 genuine nodes and 40
malicious nodes, the protocol fails as all genuine nodes get deleted at the
first round of filtering. Here we propose a slightly modified version of our
protocol that works even when $n_0$ is smaller than Instead of using
$(n + \theta^*_{\lceil n/2 \rceil})/2$, we use a sequence of thresholds based
on different quantiles of $\theta_{\lceil n/2 \rceil}$. First, we begin with
the threshold $n/2$ (i.e., replace $\theta^*_{\lceil n/2 \rceil}$ by 0) and
follow the protocol described in Section 4. In the process, some nodes may get
filtered out. If there are $n^{(1)}$ nodes remaining in the WSN, we use the
threshold $(n^{(1)} + \theta^{0.1}_{\lceil n/2 \rceil})/2$ (i.e., replace
$\theta^*_{\lceil n/2 \rceil}$ by $\theta^{0.1}_{\lceil n/2 \rceil}$) and apply
the filtering phase of the protocol Filtering on the remaining nodes. Here
$\theta^{q}_{\lceil n/2 \rceil}$ denotes the $q$-th ($0 < q < 1$) quantile of
$\theta_{\lceil n/2 \rceil}$, and that was estimated from the 500 values of
$\theta_{\lceil n/2 \rceil}$ observed during simulation. This procedure is
repeated with thresholds $(n^{(i)} + \theta^{0.1 i}_{\lceil n/2 \rceil})/2$
for $i = 2, 3, \ldots, 9$, and finally we use the threshold
$(n^{(10)} + \theta^*_{\lceil n/2 \rceil})/2$. The nodes remaining in the WSN
after these 11 steps of filtering are considered as genuine nodes. This
algorithm worked well in our case, and it filtered out all malicious nodes from
the WSN without losing a single genuine node. In fact, all malicious nodes were
filtered out after the first two steps, and there were no deletions of nodes
after that. The results for the first two steps are shown in Table 1 (in our
case, $\theta^{0.1}_{\lceil n/2 \rceil} = 8.6786$). The total number of
approvals for the deleted nodes is also reported in the table for better
understanding of the algorithm.

This modified version could filter out up to 44 malicious nodes. In the case of
$n_0 = 56$ and $n_1 = 44$, only one genuine node was deleted from the WSN
before all malicious nodes were filtered out. However, in the case of
$n_0 = 55$, $n_1 = 45$ our algorithm failed. In that case, all genuine nodes
had 54 or 55 approvals, but almost all malicious nodes had more than 55
approvals. So, our protocol could remove only 9 malicious nodes before all
genuine nodes were filtered out.
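
The single-threshold filtering of Section 6.2 and the stepwise thresholds of Section 6.3 can be replayed on a vote matrix. The Python code below is an added example, not the authors' code: the approval matrix is constructed so that the malicious nodes' initial approval totals fall in the ranges Table 1 lists, and the function names, the rule that malicious nodes never approve genuine ones, and the use of 24 as the single-threshold value (taken from the page's threshold (59+24)/2) are assumptions. Only the vote counting is modelled, not how SecureNeighborDiscovery produces each vote.

```python
THETA_STAR = 24       # assumed: value in the page's threshold (59+24)/2
THETA_STEP1 = 8.6786  # value the page quotes for the step-1 threshold
N0, N1 = 60, 40       # ids 0..59 genuine, 60..99 malicious


def filter_nodes(approves, thetas):
    """Apply the filtering rounds for each theta in turn.

    approves[i][j] is True when node i approved node j's claimed position.
    Returns (surviving ids, [(nodes, threshold, dropped), ...] per round).
    """
    alive, trace = set(range(len(approves))), []
    for theta in thetas:
        while alive:
            threshold = (len(alive) + theta) / 2
            # Only votes cast by nodes still in the network are counted.
            dropped = {j for j in alive
                       if sum(approves[i][j] for i in alive) < threshold}
            trace.append((len(alive), round(threshold, 2), len(dropped)))
            if not dropped:
                break  # stable for this theta; move to the next one
            alive -= dropped
    return alive, trace


def build_scenario():
    """Constructed approval matrix (not the paper's simulated data)."""
    # deceived[k]: number of genuine nodes that accept malicious node k, so its
    # initial total is 40 + deceived[k], inside the ranges listed in Table 1.
    deceived = ([9, 11, 13, 14] + [15] * 3 + [16] * 2 + [17] * 3 + [18] * 2
                + [19] * 6 + [20] * 6 + [21] * 5
                + [22, 23, 24, 25, 26, 27, 28, 29, 29])
    n = N0 + N1
    # Assumption: genuine nodes approve each other, malicious nodes approve
    # each other, and malicious nodes never approve genuine ones.
    approves = [[(i < N0) == (j < N0) for j in range(n)] for i in range(n)]
    for k, d in enumerate(deceived):
        for i in range(d):
            approves[i][N0 + k] = True
    return approves


if __name__ == "__main__":
    votes = build_scenario()
    for name, thetas in (("single threshold", [THETA_STAR]),
                         ("stepwise thresholds", [0, THETA_STEP1])):
        alive, trace = filter_nodes(votes, thetas)
        print(name, "->", len(alive), "nodes left")
        for row in trace:
            print("   nodes=%d threshold=%.2f dropped=%d" % row)
```

With the single threshold every genuine node is dropped in the first round; with the two stepwise thresholds the trace follows the thresholds and deletion counts of Table 1 and ends with the 60 genuine nodes.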

Table 1. First two steps of filtering (based on quantiles) with $n_0 = 60$ and $n_1 = 40$.

| Step (i) | Total nodes ($n^{(i)}$): Genuine | Total nodes ($n^{(i)}$): Malicious | Threshold | Nodes deleted: Genuine | Nodes deleted: Malicious | No. of approvals for deleted nodes |
|---|---|---|---|---|---|---|
|  | 60 | 40 | 50.00 |  | 1 | < 50 |
|  | 60 | 39 | 49.50 |  |  |  |
| 1 | 60 | 39 | 53.84 |  | 3 | 51-54 |
|  | 60 | 36 | 52.34 |  | 5 | 55-56 |
|  | 60 | 31 | 49.84 |  | 5 | 57-58 |
|  | 60 | 26 | 47.34 |  | 17 | 59-61 |
|  | 60 | 9 | 38.84 |  | 9 | 62-69 |
|  | 60 |  | 34.34 |  |  |  |

7 Possible improvements

In this article, we have used the modified version of Friis transmission
equation 2 for developing our SecureNeighborDiscovery protocol. However,
sometimes one needs empirical adjustments to the basic Friis equation 1 using
larger exponents. These are used in terrestrial models, where reflected signals can
lead to destructive interference, and foliage and atmospheric gases contribute 
to signal attenuation [9]. There one can consider Sj^/S■ to be proportional to 
$G_r G_s (\lambda/d_{ij})^m$, where $G_r$ and $G_s$ are the mean effective gains of the antennas and
$m$ is a scalar that typically lies in the range [2, 4]. If $m$ is known, one can develop
a verification scheme following the method described in this article. Even if it 
is not known, it can be estimated by sending signals from known distances and 
measuring the received signal strengths. 

However, our proposed protocol is not above all limitations. In this article, we 
have assumed that the underlying network topology is a complete graph. But, 
in practice, this may not always be the case. In multi-hop network topology, 
our SecureNeighborDiscovery protocol based on voting can be used in the 
neighborhood of each node, provided there are sufficiently many genuine nodes 
in the neighborhood. However, the performance of this verification protocol in 
the case of multi-hop network topology needs to be thoroughly investigated. 

8 Concluding remarks 

In this article, we have proposed a distributed secure position verification proto- 
col for WSNs in noisy channels. In this approach, without relying on any trusted 
sensor nodes, all genuine nodes detect the existence of malicious nodes and filter 
them out with a very high probability. The proposed method is conceptually 
quite simple, and it is easy to implement if $\theta^*_{\lceil n/2 \rceil}$ is known. Calculation of $\theta^*_{\lceil n/2 \rceil}$
is the only major computation involved in our method, but one should note that
this is an off-line calculation. 

In the case of negligible noise in the WSN, we have seen that the performance
of our protocol matches with that of the deterministic methods of [6].
However, when the noise is not negligible, each of the sensor nodes can only
have a limited precision for distance estimation. In such cases, it is not
possible to develop a deterministic algorithm [6]. Our protocol based on a
probabilistic algorithm takes care of this problem, and it filters out all
malicious nodes with very high probability. When the number of nodes in the WSN
is reasonably large, this probability turns out to be very close to 1. So, for
all practical purposes, our proposed method behaves almost like a deterministic
algorithm as we have seen in Section 6. Since the influence of noise on signal
propagation is very common in WSNs, this probabilistic approach is very
practical from the implementation perspective in the real world.

One should also notice that compared to the randomized protocol of Hwang
et al. [14], our protocol leads to substantial savings on the time and the power
used for transmissions. In [14], the message complexity is $O(n^2)$, since each sensor
announces one distance at a time in a round robin fashion. But, in the case of
our proposed protocol, $O(n)$ messages are transmitted in the first phase, and
each sensor announces all distances through a single message.